Claims

[c1] 1. A computer-implemented method for specifying and enforcing entitlements for performance of financial transactions, the method comprising:

providing a hierarchical entitlement structure with inheritance for specifying entitlements for performing financial transactions;

receiving user input for defining a plurality of entitlement groups of said hierarchical entitlement structure, wherein each entitlement group has specified permissions to perform financial transactions, limits on performance of said financial transactions, and membership of each user;

in response to a particular user request to perform a financial transaction at runtime, identifying the particular user's membership in a certain entitlement group; and

determining whether to allow the particular user to perform the financial transaction based on permissions and limits of said hierarchical entitlement structure applicable to the particular user's performance of the financial transaction.

[c2] 2. The method of claim 1, wherein said hierarchical entitlement structure provides that a given entitlement group inherits permissions provided to its parent entitlement group in said hierarchical entitlement structure.

[c3] 3. The method of claim 2, wherein said step of defining a plurality of entitlement groups includes restricting permissions inherited by an entitlement group from its parent entitlement group in said hierarchical entitlement structure.

[c4] 4. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining permissions to access particular objects in a financial application.

[c5] 5. The method of claim 4, wherein said step of defining a plurality of entitlement groups includes defining permissions to perform functions on said particular objects.

[c6] 6. The method of claim 4, wherein at least some of said 
particular objects represent bank accounts. 

[c7] 7. The method of claim 1, wherein said limits comprise limitations on values of financial transactions to be performed.

[c8] 8. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining limits comprising a selected one of per-transaction limits and cumulative limits over a period of time.

[c9] 9. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining permissions applying to a selected one of functions of a financial application and objects of a financial application.

[c10] 10. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining limits applicable to individual users.

[c11] 11. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining limits applicable collectively to members of an entitlement group.

[c12] 12. The method of claim 1, wherein said step of defining a plurality of entitlement groups includes defining limits applying collectively to a particular entitlement group and children entitlement groups of said particular entitlement group in said hierarchical entitlement structure.

[c13] 13. The method of claim 1, further comprising:

tracking financial transactions performed for purposes of determining compliance with limits.

[c14] 14. The method of claim 13, wherein said step of tracking financial transactions performed includes maintaining running total values of financial transactions performed in cache for improved performance.

[c15] 15. The method of claim 14, wherein said step of determining whether to allow the particular user to perform the financial transaction includes determining whether any limits have been exceeded based on the running total values and the value of the financial transaction requested by the particular user.

[c16] 16. The method of claim 1, further comprising:

maintaining permission information for entitlement groups in the hierarchical entitlement structure in cache to improve system performance.

[c17] 17. The method of claim 16, wherein said permission information is modeled as three-tuples representing negative permissions.

[c18] 18. The method of claim 1, wherein permissions provided to an entitlement group include permissions to administer a certain other entitlement group.

[c19] 19. The method of claim 18, wherein permissions to administer a particular entitlement group include modifying permissions of said certain other entitlement group.



[c20] 20. The method of claim 18, wherein said permissions to administer a certain other entitlement group are subject to limitations defined for the entitlement group having said permissions to administer.

[c21] 21. The method of claim 1, wherein permissions provided to an entitlement group include permissions to extend a certain other entitlement group.

[c22] 22. The method of claim 21, wherein permissions to extend a certain other entitlement group include permissions to define a child entitlement group of said particular entitlement group.

[c23] 23. A computer-readable medium having processor-executable instructions for performing the method of claim 1.

[c24] 24. A downloadable set of processor-executable instructions for performing the method of claim 1.
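
The runtime check that claims 1 to 3, 7, 8, 12 to 15 and 17 describe, as an added Python sketch that is not code from the patent. The class, group, user and account names are hypothetical, the (group, function, object) layout of the negative-permission tuple is an assumption (the claims do not say what the three elements are), and a plain dictionary stands in for the cache of running totals.

```python
from collections import defaultdict

class EntitlementTree:
    """Hypothetical model: a group inherits from its parent and can only restrict."""
    def __init__(self):
        self.parent = {}      # group -> parent group (None for the root)
        self.member_of = {}   # user -> entitlement group
        self.denied = set()   # (group, function, object); assumed layout, None = any object
        self.per_txn = {}     # (group, function) -> max value of one transaction
        self.cumulative = {}  # (group, function) -> max total, shared with children
        self.running = defaultdict(int)  # cached running totals (period reset omitted)

    def lineage(self, group):
        """The group followed by its ancestors up to the root."""
        out = []
        while group is not None:
            out.append(group)
            group = self.parent[group]
        return out

    def authorize(self, user, function, obj, amount):
        """Return a reason string; totals are updated only when the result is 'ok'."""
        if user not in self.member_of:
            return "no entitlement group"
        groups = self.lineage(self.member_of[user])
        for g in groups:  # a denial anywhere on the path to the root wins
            if {(g, function, obj), (g, function, None)} & self.denied:
                return f"denied at {g}"
        for g in groups:  # every level's limits must hold
            if amount > self.per_txn.get((g, function), float("inf")):
                return f"per-transaction limit at {g}"
            total = self.running[(g, function)] + amount
            if total > self.cumulative.get((g, function), float("inf")):
                return f"cumulative limit at {g}"
        for g in groups:
            self.running[(g, function)] += amount
        return "ok"

def demo():
    """Constructed hierarchy: corp > treasury > clerks."""
    t = EntitlementTree()
    t.parent.update(corp=None, treasury="corp", clerks="treasury")
    t.member_of.update(alice="treasury", bob="clerks")
    t.denied.add(("clerks", "wire", "acct-payroll"))
    t.per_txn[("clerks", "wire")] = 1_000
    t.cumulative[("treasury", "wire")] = 5_000
    calls = [("bob", "acct-payroll", 100), ("bob", "acct-ops", 1_500), ("bob", "acct-ops", 900),
             ("alice", "acct-ops", 4_200), ("alice", "acct-payroll", 4_100), ("mallory", "acct-ops", 1)]
    return [t.authorize(u, "wire", o, a) for u, o, a in calls]
```

In a concurrent service the limit check and the running-total update have to execute atomically; otherwise two in-flight requests can each pass a check that their combined value would fail.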



